Identity Theft
• Ten million (10,000,000) Americans have their identities stolen each year.
• Thieves drain their accounts, damage their credit and even endanger their medical treatment.
Red Flags Rule
• Enforced by the Federal Trade Commission (FTC), the federal bank regulatory agencies, and the National Credit Union Administration.
• Requires organizations to implement a written Identity Theft Prevention Program
• Designed to detect warning signs – or “red flags” – of identity theft in their day-to-day operations
• Take steps to prevent the crime, and mitigate the damage it inflicts
• Be better equipped to spot suspicious patterns when they arise and take steps to prevent a red flag from escalating into identity theft.
Who Must Comply with the Red Flags Rule
STC Must Comply – Covered Accounts
• Student Installment Accounts
• Student Emergency Loans
• Student Higher One Jag-Card
All functions connected to our students are subject to the Red Flags Rule:
• Registration
• Employment
• Payments
• Financial Aid
• Scholarships and Awards
• Etc.
Red Flags Rule - Overview
1. Identify relevant red flags.
2. Detect red flags.
3. Prevent and mitigate identity theft and respond accordingly.
4. Update the program.
Program Sections
• Section 1: Program Background and Purpose
• Section 2: Definitions
• Section 3: Scope
• Section 4: Guidelines
• Section 5: Identify Relevant Red Flags
• Section 6: Detect Red Flags
• Section 7: Prevent, Mitigate and Appropriately Respond to Identity Theft
• Section 8: Periodic Updates to Plan
• Section 9: Program Administration
Section 1: Program Background and Purpose
1. October 12, 2008 - Board of Trustees approved Board Policy # 5470, Identity Theft Policy, and approved the initial guidelines.
Section 1: Program Background and Purpose
1. The initial guidelines have since been updated to ensure they are closely aligned to the FTC’s requirements and the College’s operations.
2. Each department is responsible for developing procedures within their operation and ensuring their implementation and compliance.
3. These guidelines include some best practices to follow.
Section 1: Program Background and Purpose
Guidelines:
• Define sensitive information
• Describe security measures
• In compliance with laws
Risk to:
• Employees
• Students
• Contractors/Vendors
Section 2: Definitions
• Identity Theft: Fraud committed or attempted using the identifying information of another person without authority.
• Red Flag: A pattern, practice, or specific activity that indicates the possible existence of identity theft.
• Identifying Information: Any name or number that may be used, alone or in conjunction with other information, to identify a specific person.
Section 2
Identifying Information
Section 3: Scope
Students, Employees, Contractors - at the College
Section 4: Guidelines
1. Faxed information
2. Payroll information
3. Hardcopy documents
4. Files
5. Addresses
6. Codes
7. Un-discarded documents
8. Computer documents
9. Whiteboard information
10. Social security numbers
11. Writing tables information
12. Medical information
13. Credit card information
Section 5: Identify Relevant Red Flags
• Covered accounts
• Risk factors
• Sources of red flags
• Categories of red flags
• Alerts, notifications or other warnings received from customer reporting agencies
    • Address discrepancy
    • Usual pattern of activity
    • Number of recently established credit relationships
    • Material change in use of credit
    • Accounts closed for cause or abuse of account privileges
Section 5: Identify Relevant Red Flags
• Suspicious documents
    • Altered or forged
    • Photograph or physical description on ID is not consistent with appearance of individual
    • Other information is not consistent
Section 5: Identify Relevant Red Flags
• Suspicious personal identifying information
    • Information not consistent with external gathered information
    • SSN listed on the SS Administration Death Master File
    • Lack of correlation between SSN range and date of birth
Section 5: Identify Relevant Red Flags
• Suspicious personal identifying information
    • Information provided already on fraudulent application previously submitted
    • Address is fictitious (a prison)
    • Phone number is invalid
    • SSN, address, phone number, provided is the same as that previously submitted by someone else
    • Information is not consistent with that on file with the College
    • Unable to answer security questions (beyond what is found in a person’s wallet)
Section 5: Identify Relevant Red Flags
How will you do this?
Section 6: Detect Red Flags
• Each organizational unit will develop and implement specific methods and protocols to meet the requirement of this Program.
• Require current government-issued ID cards, such as driver’s license or passport
• Compare data
• Ask challenge questions (don’t use information available in wallet)
• Authenticate students
• Monitor transactions
• Verifying the validity of change of address requests
• Use passwords
• Use PIN numbers
Section 6: Detect Red Flags
How will you do this?
PROCEDURES
Section 7: Prevent, Mitigate and Appropriately Respond to Identity Theft
• Contact the student
• Monitor an account for evidence
• Change passwords
• Not opening a new account until further information is received
• Notifying law enforcement
Section 7: Prevent, Mitigate and Appropriately Respond to Identity Theft
• Write a description of the fraudulent activity and report it
• Cancel the transaction if fraudulent
• Determine the extent of liability
• Notify the actual customer that the fraud has been attempted
Section 7: Prevent, Mitigate and Appropriately Respond to Identity Theft
How will you do this?
Section 8: Periodic Updates to Plan
• Re-evaluate program at periodic intervals
PROCEDURES
• Assessment of accounts covered in the program
• Revise red flags for updates, deletions, replacements
Section 8: Periodic Updates to Plan
• Revise actions to be taken in the event that fraudulent activity is discovered
Section 9: Program Administration
• Involvement of management
    • Warrants the highest level of attention
    • Written program and operation are responsibility of President or designee
    • President or designee must approve material changes
    • Staff is responsible for implementation and is responsible for at least annually reporting on compliance by the College with the Program
Section 9: Program Administration
• Staff training
    • HR is responsible for training annually
• Service providers
    • Also responsible for maintaining an identity theft prevention program
Questions?
Sources: Federal Trade Commission – Protecting America’s Consumers
Fighting Fraud with the Red Flags Rule – A How-To Guide for Businesses